I use Draytek routers almost exclusively as they have a great feature set and excellent hardware reliability (except the cheap Chinese AC adaptors they supply – they still suck!). These features outweigh their main problems, which I document here: Draytek Weirdness

One problem I find is that I always like to leave myself a few ways into a network. For example, if the main Windows server that terminates PPTP VPN is down, I cannot PPTP in to the network to then connect to a server’s ILO/DRAC card and diagnose from there. Having a direct port forward through to an ILO card, or to the IP-KVM switch of a multi-server customer, suddenly becomes important. While I could log in to the Draytek router, add the port forward, do my work, then delete the port forward later, I’ll probably forget! Besides, it would be nice to have the port forward active 24*7 and locked down to just my IP address, so it cannot be exploited as easily.

This technique is also useful for other “dangerous” port forwards you may like to do but don’t really trust the hardness of the application/service to defend itself from attack: VNC, FTP, a basic single-purpose web site, telnet access to a SCADA network at a nuclear facility...

With the Draytek firewalls you can add a data filter to block all IPs to a certain host/port combination *EXCEPT* your IP address. This is a neat trick; it is not well documented and differs between many models of Draytek routers.

The key is defining “all IP addresses EXCEPT MINE”, and realising that some Draytek routers have a selectable “NEGATION” option, while those that don’t allow you to prepend the “!” operator to your IP address. As is usual in the IT world, the “!” (bang) operator negates/inverts the IP address; in this case “!203.206.169.114” means “all IP addresses EXCEPT 203.206.169.114”. Using this logic, a simple filter to block everything *except* our IP address suddenly becomes possible.

So let’s take an example: I want to forward RDP (tcp/3389) to my customer’s server (192.168.10.10), but only from one of my office IP addresses (203.260.169.114).

V2800

This example is being done on a Draytek V2800 router. As I use this technique at every customer site from now on, if I notice significantly different router interfaces I will document the same procedure for them here.

1) First, define the standard port forward just as you normally would. This opens up a forward from *all* external WAN IPs to the internal host IP for the defined port(s).

This can now be locked down to a certain WAN IP address by adding a simple Data Filter rule...

2) Go into FIREWALL | Filter Setup. The default config will show 2 pre-defined Filter Sets: 1 is a Call Filter and 2 is a Data Filter. We want to select “2 – Default Data Filter”. The default config will now show one rule already active, so we hit the “2” button to open the second Filter Rule.

3) Give this rule a name, such as “Lock Down RDP”.

4) Check the box to ENABLE the rule.

5) Set the BLOCK/PASS to “BLOCK IMMEDIATELY”

6) Set DIRECTION to “IN”; Protocol to “TCP”

7) Set the SOURCE IP Address to “!203.260.169.114” and MASK to /32; leave any “source ports” blank or set to any, as these are dynamic. Note the “!” NEGATION here! This is vital.

8) Set the DESTINATION IP to match your server’s IP (the same one you used in the port forwarding); Destination Mask is /32; Destination ports FROM=1-65535 (any) / TO=3389-3389.

9) If you have Keep State or Fragments options, leave them (and anything else!) at their defaults.

That’s it. Click to save, then test by trying to telnet into that WAN IP on port 3389 from your IP address (it should ‘connect’ with a blank screen) and from a public IP different to yours (it should not connect).

You can also limit to *multiple* public addresses. To do this you chain a few data filters (“Branch Out”, as Draytek call it), and also set some to “Block unless further match found”.

Example Data Filter for V2820

Newer Draytek Models – IP Groups and “negation” is broken

We saw above in step 7 that we need to “NEGATE” our Source IP address. This is so the firewall logic will apply to all IP addresses that match the rule EXCEPT our defined (and negated) IP address.

Newer routers from Draytek move towards IP Objects and IP Groups. These allow you to easily set up multiple IP addresses (IP Objects) in a single IP Group, and then use that IP Group in a rule. However, this does not work when you are relying on NEGATION or INVERSION: even just adding two IP Objects that are negated won’t work. The logic inside the routers seems to be faulty and cannot handle ‘double negation’.

I believe in this situation you need to create multiple, sequential Data Filter rules, one for each IP address you wish to pass, with the final one being the BLOCK rule. Really messy; Draytek could have allowed using IP Groups.
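To make the filter logic concrete, here is an added Python model (not Draytek code, and the real firmware evaluation order is not published here) of the single negated BLOCK rule from steps 5-8 of the V2800 walkthrough and of the sequential PASS/PASS/BLOCK workaround just described; it also assumes an IP Group is evaluated as the union of its members, to show why two negated objects in one group cannot express “allow A and B”. The second office address is a constructed example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a Draytek-style Data Filter chain: rules are checked in
# order and the first one whose source, destination and port all match decides
# the verdict ("Block Immediately" / "Pass Immediately"). Not firmware logic.

@dataclass
class Rule:
    name: str
    action: str   # "BLOCK" or "PASS"
    src: str      # source IP/mask, optionally prefixed with "!" (negation)
    dst: str      # destination host/mask
    dport: int    # destination TCP port

def src_matches(spec: str, ip: str) -> bool:
    """Apply the '!' operator: '!X' matches every address EXCEPT X."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return (not hit) if negate else hit

def evaluate(rules, src_ip, dst_ip, dport, default="PASS"):
    """Return the verdict for one inbound TCP connection attempt."""
    for r in rules:
        if (src_matches(r.src, src_ip)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.dst, strict=False)
                and r.dport == dport):
            return r.action
    return default  # nothing matched: the port forward alone lets it through

OFFICE = "203.206.169.114"   # the office address from the walkthrough
SERVER = "192.168.10.10"     # the customer's RDP server
# Steps 5-8 of the V2800 walkthrough: a single BLOCK rule with a negated source.
single_ip_rules = [
    Rule("Lock Down RDP", "BLOCK", f"!{OFFICE}/32", f"{SERVER}/32", 3389),
]
# Several allowed addresses without relying on negation: one PASS rule per
# address, then a final catch-all BLOCK (OFFICE2 is a constructed example).
OFFICE2 = "198.51.100.7"
multi_ip_rules = [
    Rule("Pass office 1", "PASS", f"{OFFICE}/32", f"{SERVER}/32", 3389),
    Rule("Pass office 2", "PASS", f"{OFFICE2}/32", f"{SERVER}/32", 3389),
    Rule("Block everyone else", "BLOCK", "0.0.0.0/0", f"{SERVER}/32", 3389),
]

def negated_group_matches(ip, members):
    """Assumed IP Group semantics (union of members): a group of individually
    negated objects "!A", "!B" matches every address, A and B included."""
    return any(src_matches(f"!{m}/32", ip) for m in members)
```

Under that assumption a BLOCK rule keyed on the negated group blocks the offices too, which is the “all blocked” symptom the text describes.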

Hello,
I have also used Draytek routers for a long time and like the features that they include. I have used the firewall before to block access to a single IP for RDP etc., but now I need to allow two IPs access to RDP (3389) and I have never been able to get this to work on the 2830.
Is there a way that you know of to allow only two IP addresses through the firewall to use Remote Desktop?
Any help would be appreciated.

The issue is trying to put two “negated” IP addresses in one firewall rule field.

The only thing I can think of is using IP Objects and IP Groups. Of course the router would need to support these – again, some models don’t – I know the newer Drayteks do (V3200 for example, and I checked a customer’s V2830 and it has IP Objects/Groups too).

The idea is you create two IP Objects, one for each external IP address – note that they should be “NEGATE” IP Objects (Negate option selected, or use an exclamation mark “!xxx.xxx.xxx.xxx”).

You then add these two IP Objects into an IP Group. You then use the IP Group in the firewall Data Filter.

On a Vigor 2760n I had to set it up a little differently.
Using the previously mentioned methods I either ended up with all being passed or all being blocked.
This is what worked for me to allow access only to my SQL server and only from one public IP.